How the public cloud creates vulnerabilities

For most organizations, the migration to the cloud has been a mixed bag. Some have been successful in moving older client/server applications to the cloud, while others have taken a more conservative approach, moving only lower criticality applications to the cloud.

While very few organizations share the same “use case” for migrating to the cloud, nearly all have similar opinions on the benefits and dangers of cloud computing. Each organization differs in its goals and ultimately in how it chooses to securely utilize cloud computing.

The four secrets about cloud computing

  1. Cloud computing workloads on public cloud services allow multiple customers to use the same server at the same time. While there is some isolation between the tenants, mostly on the file systems or database access credentials, the systems share memory, hypervisors, CPU and network interfaces. If you are hosting a site that raises money for charity, you may be only one file or operating system error away from your neighbor on the server. That is not a problem if your neighbors are well behaved; however, you may be on a server with nefarious or questionable individuals. This setup is a prime target for hypervisor attacks, operating system weaknesses or worse.
  2. Cost savings are a major draw to cloud computing. CFOs were exuberant with their CIO and CTO peers about the financial benefits of cloud computing. However, depending on how you “do the math” on the total cost of ownership, results can vary dramatically. If you want to compare costs, compare apples to apples: how much per year does a “dedicated” cloud server cost? On average, the difference in cost can be staggering, not to mention the aforementioned security implications of sharing with potentially hundreds of other organizations. The answer is shocking. We have seen costs for dedicated cloud servers as high as 10 times the hourly cost of “shared” compute time. So your $500 invoice, if run as dedicated servers, would climb to over $5,000 per month or $60,000/year. At that rate you could afford to buy more compute, storage and memory for half the cost and operate it inside your data center without getting nickel-and-dimed to death.
  3. If you think computer security forensics are hard to do on local systems, try it with one of your cloud systems for a real challenge. How does an organization place a hold on a hard disk or SSD when 80 other organizations are using the same drive array? Not easily. What about memory dumps or hypervisor logs from the cloud provider? Again, not easily done, or maybe impossible for some. Do you know what your cloud provider can support in terms of forensic information on a quick turnaround request? If not, it is time to ask.
  4. There is an old saying in risk management, “…you can accept, transfer, or eliminate a risk…”. These are the three things you can do with a risk. Unfortunately, many executives and IT folks believe that they are “transferring risk” to the cloud provider for their applications. This could not be further from the truth. Cloud providers have a “shared” responsibility model that includes your responsibility to develop, deploy, patch and monitor the security of your applications. If you want to know what risks you are taking with a given cloud provider’s security, reading the fine print in your cloud agreement should be at the top of your to-do list.
